Summary

When performing an action in a secure screen, such as the sign-in screen, an unauthenticated user can open a python console with system privileges.
This allows a user to escalate Windows privileges from administrator to system.

Pull request(s)

#13487

Limitations

This requires a user to bind a gesture for the wx inspection tool.
The user must also copy their configuration to a secure screen.

Technical details

To enter a secure screen:

• Run an application as administrator, causing the User Access Control dialog to appear
• Enable NVDA to run during sign-in, then lock the desktop and continue to the password entry sign-in screen.

Proof of concept

1. Running NVDA logged into a normal user account, open the NVDA input gestures dialog and bind a gesture to the GUI inspection tool script.
2. In the NVDA General settings panel, copy the current user config to the system config for use on secure screens.
3. Enter a secure screen
4. Execute the gesture you bound to the GUI inspection tool.
5. Execute the gesture and check that the tool starts.
6. Note the python console with system privileges

Workarounds

To prevent unauthenticated users from opening the python console on older NVDA versions:

• run NVDA while logged in, and not in secure mode
• unbind the input gesture for the wx GUI inspection tool
• copy your configuration for use on secure screens
• consider limiting administrator privileges of other users of the device, so that they cannot overwrite this by copying their configuration to secure screens

Timeline

This was reported in late February, after the 2021.3.3 release.
A patch was created to be added to a 2021.3.4 patch release in early March.

Indicators of compromise

Unknown

For more information

If you have any questions or comments about this advisory:

• Email us at info@nvaccess.org